This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 238116 - $variable = $_POST['firstname']; produces a warning
Status: RESOLVED INVALID
Alias: None
Product: php
Classification: Unclassified
Component: Editor
Version: 7.4
Hardware: All All
Importance: P3 normal
Assignee: Ondrej Brejla

Reported: 2013-11-07 22:11 UTC by Neobean
Modified: 2019-05-13 05:42 UTC
Issue Type: DEFECT

Attachments
netbeans 7.4: $variable = $_POST['firstname']; produces a warning (170.99 KB, image/png)
2013-11-07 22:11 UTC, Neobean
Description Neobean 2013-11-07 22:11:24 UTC
Created attachment 141953
netbeans 7.4: $variable = $_POST['firstname']; produces a warning

Hi

I would like to report what I think is a bug.

If I make a variable to, for example, capture a user's input, then I get a warning from the editor:

Which says: 

"Do not Access Superglobal $_POST Array directly"
"Use some filtering functions instead (e.g filter_input(), conditions with is_* () functions, etc.)."

I have talked with others and they tell me that this isn't an appropriate warning and that I should file a bug report, which is what I'm doing!

Also, I'm told that this behaviour doesn't exist in NetBeans 7.3.1, which only adds to my suspicion that this is in fact a bug or at least odd behaviour.
Comment 1 Ondrej Brejla 2013-11-08 06:34:44 UTC
It's an intent. You should never ever access superglobals directly. For security reasons. Just google that. There are also PHP native functions to filter those arrays and to work with 'em securely - e.g. filter_input(). If you don't want to use that hint, just disable it. But it's *hardly* recommended to follow it.
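
An added example, not part of the original report or of NetBeans: the flagged assignment beside a version that reads the field through `filter_input()` with a validating filter. The helper `read_firstname()`, the name pattern and the sample inputs are assumptions made for illustration; note that `filter_input()` with its default filter returns the raw string unchanged, so the validation filter is what adds the check.

```php
<?php
declare(strict_types=1);

// Added example. read_firstname(), the name pattern and the sample inputs are
// assumptions made for illustration, not code from NetBeans or the report.

// The pattern flagged by the hint: the value may be missing, may be an array
// (firstname[]=x), and is used without any check.
//   $variable = $_POST['firstname'];

/**
 * Return a validated first name, or null when it is missing or invalid.
 * $source is only for the offline demo below; in a real request leave it null
 * so the value is read from the POST data through filter_input().
 */
function read_firstname(?array $source = null): ?string
{
    // Assumed policy: 1-50 characters, letters plus space, apostrophe, hyphen.
    $options = ['options' => ['regexp' => '/\A\p{L}[\p{L} \'-]{0,49}\z/u']];

    $value = $source === null
        ? filter_input(INPUT_POST, 'firstname', FILTER_VALIDATE_REGEXP, $options)
        : filter_var($source['firstname'] ?? null, FILTER_VALIDATE_REGEXP, $options);

    // filter_input() gives null for a missing field and false for a failed
    // filter; filter_var() gives false for both. Treat all of them as invalid.
    return is_string($value) ? $value : null;
}

// Constructed sample inputs standing in for POST bodies.
$samples = [
    'valid name'    => ['firstname' => 'Anna-Marie'],
    'markup'        => ['firstname' => '<b>Bob</b>'],
    'array instead' => ['firstname' => ['x']],
    'field missing' => [],
];

foreach ($samples as $label => $post) {
    $name = read_firstname($post);
    // Validation does not replace output encoding: escape when rendering.
    echo $label, ': ', $name === null
        ? 'rejected'
        : 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
}
```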
Comment 2 Ondrej Brejla 2013-11-08 06:35:58 UTC
It's a new hint in 7.4 so it can't be in 7.3.1 ;) You can disable hints in Tools->Options->Editor->Hints->PHP.
Comment 3 Neobean 2013-11-08 14:09:05 UTC
(In reply to Ondrej Brejla from comment #2)
> It's a new hint in 7.4 so it can't be in 7.3.1 ;) You can disable hints in
> Tools->Options->Editor->Hints->PHP.

Hi Ondrej

Thank you for clarifying - I'll forward your reply to others in order to help with avoiding that Bugzilla gets flooded with similar bug reports.

As a side remark I would like to say that I find this warning solution a bit odd and wonder if it wasn't possible to create something which didn't "interfere" with the clean view the editor normally has - an interface with no warnings usually means that one is good to go, besides, if this issue (e.g the lack of a warning) hasn't been a problem before, then I find it strange that there has arisen a need to have this all of a sudden.
Comment 4 Ondrej Brejla 2013-11-08 14:17:28 UTC
(In reply to Neobean from comment #3)
> if this issue (e.g the lack of a warning) hasn't been a problem before

It was a *big* security problem all the time, but probably you didn't know that. Now we implemented a hint, which warns you that your code is not secure. You figured it out, that's great! Mission accomplished. Our hint helped you to write more secure code. Win/win :)